Re: [Wireshark-dev] Decompress Data
On Fri, 7 Oct 2011 09:34:53 -0600, Stephen Fisher
st...@stephen-fisher.com wrote:
On Fri, Oct 07, 2011 at 11:31:24AM +0200, Marcel Haas wrote:
I have some packets witch are compress witz zlib.
I want to uncompress them.
Take a look at the tvb_uncompress() or tvb_child_uncompress()
functions
in epan/tvbuff.c. An example of tvb_child_uncompress() is in the
HTTP
dissector, epan/dissectors/packet-http.c.
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Iam using the tvb_umcompress function now.
Code:
if(compress==67){
offset2=loh+20;
compress_tvb=tvb_uncompress(tvb,offset2,tvb_length(tvb));
add_new_data_source(pinfo,compress_tvb,Decompressed TVB);
}
But it didnt work ..i get a failer when i get a uncompress packet.
[Malformed Packet:NOS]
[Expert Info (Error/Malformed):Malformed Packet (Exception
occurred)]
I guess that means i cant uncompress my packet with that function ?
___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Decompress Data
On Fri, 7 Oct 2011 09:34:53 -0600, Stephen Fisher st...@stephen-fisher.com wrote: On Fri, Oct 07, 2011 at 11:31:24AM +0200, Marcel Haas wrote: I have some packets witch are compress witz zlib. I want to uncompress them. Take a look at the tvb_uncompress() or tvb_child_uncompress() functions in epan/tvbuff.c. An example of tvb_child_uncompress() is in the HTTP dissector, epan/dissectors/packet-http.c. ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe hmm okay it seems to do the right way if i make it like that next_tvb =tvb_new_subset(tvb,offset2,-1,-1); compress_tvb=tvb_uncompress(next_tvb,0,tvb_length(next_tvb)); add_new_data_source(pinfo,compress_tvb,Decompressed TVB); ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
[Wireshark-dev] Decompress Data
And i have the next problem. Damn wireshark kick my ass :) I have some packets witch are compress witz zlib. I want to uncompress them. I read the dev-guid about transformed data but i dont have a clue. I were testing some stuff but with no good result. Can someone help me with that ? thx and regards Marcel ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Decompress Data
2011/10/7 Marcel Haas inf...@fh-worms.de: And i have the next problem. Damn wireshark kick my ass :) I have some packets witch are compress witz zlib. I want to uncompress them. I read the dev-guid about transformed data but i dont have a clue. I were testing some stuff but with no good result. Can someone help me with that ? It is simple. 1) You have to know the size of decompressed data, e.g. in buffer_size variable. 2) Alloc the buffer of needed size for it using e.g. se_alloc, e.g. you have pointer to alloced buffer called buffer_ptr. 3) Decompress you data into that buffer. 4) call child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr, buffer_size, buffer_size); 5) call add_new_data_source(pinfo, child_tvb, Decompressed Data); 6*) Optionally you can dissect child_tvb as any usual TVB. In the GUI you'll get the decompressed data into another tab called Decompressed Data or any other name you provide in step 5. -- Max ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Decompress Data
On Fri, 7 Oct 2011 13:51:13 +0400, Max Dmitrichenko dmitr...@gmail.com wrote: 2011/10/7 Marcel Haas inf...@fh-worms.de: And i have the next problem. Damn wireshark kick my ass :) I have some packets witch are compress witz zlib. I want to uncompress them. I read the dev-guid about transformed data but i dont have a clue. I were testing some stuff but with no good result. Can someone help me with that ? It is simple. 1) You have to know the size of decompressed data, e.g. in buffer_size variable. 2) Alloc the buffer of needed size for it using e.g. se_alloc, e.g. you have pointer to alloced buffer called buffer_ptr. 3) Decompress you data into that buffer. 4) call child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr, buffer_size, buffer_size); 5) call add_new_data_source(pinfo, child_tvb, Decompressed Data); 6*) Optionally you can dissect child_tvb as any usual TVB. In the GUI you'll get the decompressed data into another tab called Decompressed Data or any other name you provide in step 5. -- Max ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe hmm i dont get it at all .. my code looks like this : guint8 *buff; tvbuff_t *compress_tvb; int captured_size; captured_size=tvb_length_remaining(tvb, offset2); //I think that what u mean by 1 buff= g_malloc(captured_size); // step 2 ? compress_tvb=tvb_new_real_data(buff,captured_size,captured_size);// step 4 ? tvb_set_free_cb(compress_tvb,g_free); // step 4 ? tvb_set_child_real_data_tvbuff(tvb,compress_tvb); // step 4 ? add_new_data_source(pinfo,compress_tvb,Decompressed TVB); //step 5 ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Decompress Data
I have a example from my plugin if it may help: unsigned char Ip_Buffer[2000]; /* Get the buffer bytes to decompress */ tvb_memcpy(tvb, Ip_Buffer, (*bitoffset)/8,lgpdubit/8); /* * Decompress it: * Decompressed buffer is output in Op_Buffer, * size of the decompressed buffer (in bit in this case) in SizeInBits */ */ rc = decompress(Ip_Buffer, lgpdubit - ((8-bitnb) % 8), (Op_Buffer), O_SizeInBits); /* Now re-setup the tvb buffer to have the new data */ next_tvb = tvb_new_real_data(Op_Buffer, O_SizeInBits/8, O_SizeInBits/8); tvb_set_child_real_data_tvbuff(tvb, next_tvb); add_new_data_source(pInfoG, next_tvb, Decompressed Data); /* From here dissect next_tvb from offset 0 */ On Fri, 7 Oct 2011 13:51:13 +0400, Max Dmitrichenko dmitr...@gmail.com wrote: 2011/10/7 Marcel Haas inf...@fh-worms.de: And i have the next problem. Damn wireshark kick my ass :) I have some packets witch are compress witz zlib. I want to uncompress them. I read the dev-guid about transformed data but i dont have a clue. I were testing some stuff but with no good result. Can someone help me with that ? It is simple. 1) You have to know the size of decompressed data, e.g. in buffer_size variable. 2) Alloc the buffer of needed size for it using e.g. se_alloc, e.g. you have pointer to alloced buffer called buffer_ptr. 3) Decompress you data into that buffer. 4) call child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr, buffer_size, buffer_size); 5) call add_new_data_source(pinfo, child_tvb, Decompressed Data); 6*) Optionally you can dissect child_tvb as any usual TVB. In the GUI you'll get the decompressed data into another tab called Decompressed Data or any other name you provide in step 5. -- Max ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe hmm i dont get it at all .. my code looks like this : guint8 *buff; tvbuff_t *compress_tvb; int captured_size; captured_size=tvb_length_remaining(tvb, offset2); //I think that what u mean by 1 buff= g_malloc(captured_size); // step 2 ? compress_tvb=tvb_new_real_data(buff,captured_size,captured_size);// step 4 ? tvb_set_free_cb(compress_tvb,g_free); // step 4 ? tvb_set_child_real_data_tvbuff(tvb,compress_tvb); // step 4 ? add_new_data_source(pinfo,compress_tvb,Decompressed TVB); //step 5 ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Decompress Data
On Fri, 7 Oct 2011 13:21:15 +0200, fa...@freesurf.fr wrote: I have a example from my plugin if it may help: unsigned char Ip_Buffer[2000]; /* Get the buffer bytes to decompress */ tvb_memcpy(tvb, Ip_Buffer, (*bitoffset)/8,lgpdubit/8); /* * Decompress it: * Decompressed buffer is output in Op_Buffer, * size of the decompressed buffer (in bit in this case) in SizeInBits */ */ rc = decompress(Ip_Buffer, lgpdubit - ((8-bitnb) % 8), (Op_Buffer), O_SizeInBits); /* Now re-setup the tvb buffer to have the new data */ next_tvb = tvb_new_real_data(Op_Buffer, O_SizeInBits/8, O_SizeInBits/8); tvb_set_child_real_data_tvbuff(tvb, next_tvb); add_new_data_source(pInfoG, next_tvb, Decompressed Data); /* From here dissect next_tvb from offset 0 */ Where u get the decompress function and what type does rc have .. ? On Fri, 7 Oct 2011 13:51:13 +0400, Max Dmitrichenko dmitr...@gmail.com wrote: 2011/10/7 Marcel Haas inf...@fh-worms.de: And i have the next problem. Damn wireshark kick my ass :) I have some packets witch are compress witz zlib. I want to uncompress them. I read the dev-guid about transformed data but i dont have a clue. I were testing some stuff but with no good result. Can someone help me with that ? It is simple. 1) You have to know the size of decompressed data, e.g. in buffer_size variable. 2) Alloc the buffer of needed size for it using e.g. se_alloc, e.g. you have pointer to alloced buffer called buffer_ptr. 3) Decompress you data into that buffer. 4) call child_tvb = tvb_new_child_real_data(current_tvb, buffer_ptr, buffer_size, buffer_size); 5) call add_new_data_source(pinfo, child_tvb, Decompressed Data); 6*) Optionally you can dissect child_tvb as any usual TVB. In the GUI you'll get the decompressed data into another tab called Decompressed Data or any other name you provide in step 5. -- Max ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe hmm i dont get it at all .. my code looks like this : guint8 *buff; tvbuff_t *compress_tvb; int captured_size; captured_size=tvb_length_remaining(tvb, offset2); //I think that what u mean by 1 buff= g_malloc(captured_size); // step 2 ? compress_tvb=tvb_new_real_data(buff,captured_size,captured_size);// step 4 ? tvb_set_free_cb(compress_tvb,g_free); // step 4 ? tvb_set_child_real_data_tvbuff(tvb,compress_tvb); // step 4 ? add_new_data_source(pinfo,compress_tvb,Decompressed TVB); //step 5 ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Decompress Data
On Fri, Oct 07, 2011 at 11:31:24AM +0200, Marcel Haas wrote: I have some packets witch are compress witz zlib. I want to uncompress them. Take a look at the tvb_uncompress() or tvb_child_uncompress() functions in epan/tvbuff.c. An example of tvb_child_uncompress() is in the HTTP dissector, epan/dissectors/packet-http.c. ___ Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org Archives:http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
